Upload
vadin
View
27
Download
0
Embed Size (px)
DESCRIPTION
Cryptographic Protocols for Electronic Voting. David Wagner UC Berkeley. David Wagner, UC Berkeley. The Problem with Paperless Voting. Unverified software must be presumed malicious - PowerPoint PPT Presentation
Citation preview
David Wagner, UC BerkeleyDavid Wagner, UC Berkeley
Cryptographic Protocols for Electronic
VotingDavid WagnerUC Berkeley
David Wagner, UC Berkeley
The Problem with Paperless Voting
• Unverified software must be presumed malicious• How do you know whether your vote will be counted
correctly, when voting machine software can record one thing and tell you another?
No rational basis for trust in election results
David Wagner, UC Berkeley
David Wagner, UC Berkeley
Problem Statement
• The problem: With today’s paperless voting machines, the integrity of the election relies completely on software.
• Goal: The integrity of the election should not be dependent upon the correctness of software.
David Wagner, UC Berkeley
Security Goals for an Election
• Integrity: No election fraud
• Transparency: Everyone must be able to verify that the election was conducted properly
• Privacy: No one learns how the voter has voted
• Secret ballot: Voter cannot prove how she voted
David Wagner, UC Berkeley
In This Talk…
• “The early years”– How to prove ballots were counted correctly
(using crypto)– But: fails to address ballot preparation
• Modern cryptographic voting systems– End-to-end integrity: proving that ballots were cast
and counted as the voter intended (using crypto)
David Wagner, UC Berkeley
Featuring Work By…
Andy NeffDavid Chaum
and
Josh Benaloh Peter RyanSteve Schneider and many others
All ideas in this talk were discovered by others.Any errors are my fault.
David Wagner, UC Berkeley
Cryptographic Voting with Trusted Server
Epk( v(1) )
Epk( v(n) )v((1)) v((n))
David Wagner, UC Berkeley
El Gamal Encryption
• Encrypt votes using El Gamal:E(v) = (gr, hr v) r ← Z/qZ
• Ciphertexts can be blinded (re-randomized):Blind(x, y) = (gs x, hs y) s ← Z/qZ
• Blinding forms a group:Blinds(Blinds’(c)) = Blinds+s’(c)
• Supports threshold decryption
David Wagner, UC Berkeley
Re-encryption Mixnet
c(i) = E(v(i))
d(1) = Blind(c(2))
d(4) = Blind(c(4))
d(2) = Blind(c(3))
d(3) = Blind(c(1))
d(i) = Blind(c((i)))
c(1)
c(2)
c(3)
c(4)
David Wagner, UC Berkeley
(and all necessary blinding factors)
ZK Proof of Correct Shuffling [Benaloh]
• Given: c(1..n), d(1..n)• To prove: c ~ d (i.e., d = c)
Prover Verifier
t = c (for ← Sn)
“prove c ~ t” or “prove d ~ t”
or -1
David Wagner, UC Berkeley
Distributing Trust During Vote-Counting
c 1 c
1
2 1 c
2
Trustee #1 Trustee #2
3 2 1 c
3
Trustee #3 d
Trustees perform threshold decryption of d, and provideZK proof of correct mixing and correct decryption.
Unconditional integrity (even if all trustees collude).Computational privacy, assuming one honest trustee.
David Wagner, UC Berkeley
Criticisms of Early Voting Protocols
• Early protocols got the threat model wrong.– In reality, trust in voter’s computer is unwarranted.
• Early protocols ignored ballot preparation—which turns out to be the hard problem.
David Wagner, UC Berkeley
A Better Voting Machine [Neff]
Voting machine with untrusted software Receipt(enables voter to check that their
vote was counted as intended)
David Wagner, UC Berkeley
Proof of Equality
Prover Verifier“Oh yeah? Prove it!”
“Both envelopes contain the same number”
“They both contain 42”
“Show me what’s in the left one”
David Wagner, UC Berkeley
Proof of Equality
Prover Verifier“Oh yeah? Prove it!”
“Both envelopes contain the same number”
“They both contain 42”
“Show me what’s in the left one”
42
David Wagner, UC Berkeley
Notation
b
b
b
= encryption of b (e.g., = (gr, hr gb))= commitment to b
= randomness used in (e.g., = (r, b))= opened commitment to b
b
b
David Wagner, UC Berkeley
A Special Ballot Encoding
GIULIANI
CLINTON 1 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Unencrypted ballot:
This is a votefor Clinton
David Wagner, UC Berkeley
Encrypting The Ballot
GIULIANI
CLINTON 1 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
An encrypted votefor Clinton
David Wagner, UC Berkeley
Encrypting The Ballot
GIULIANI
CLINTON 1 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
Machine proves both bits are the same.
“Open up the right commitment”
“Both bits are 1”
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
Machine proves both bits are the same.
“Open up the right commitment”
“Both bits are 1”
1
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
1
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
Machine proves bothbits are the same.
1
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
Machine proves bothbits are the same.
1 0
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0 0
0 1 1 0 1 0 0 1
Encrypted ballot:
Machine proves bothbits are the same.
1 0 0
David Wagner, UC Berkeley
Proving the Ballot Was Encrypted Correctly
GIULIANI
CLINTON 1 0 0 0
0 1 1 0 1 0 0 1
Partially encrypted ballot:
1 0 0 0 (A transcript of an interactive proof thatthis contains a valid vote for Clinton)
David Wagner, UC Berkeley
Receipts That Reveal Nothing
GIULIANI
CLINTON 1 0 0 0
0 1
Printed on the receipt:
1 0 0 0
1 01 0 10
(A fake transcript of an interactive proofthat this contains a valid vote for Giuliani)
David Wagner, UC Berkeley
Putting it Together: Neff’s Scheme
Machine interactively proves that the encrypted ballot accurately captures the voter’s intent
Machine prints (real and fake) proof-transcripts onto a paper receipt retained by the voter
Machine publicly posts image of receipt Voter checks that her receipt was publicly posted Trustees decrypt and tally all posted receipts using
re-encryption mixes and threshold decryption
David Wagner, UC Berkeley
Security Properties of [Neff]
• Integrity: Voters can use their receipt to confirm that their votes were recorded and counted as intended
• Privacy: Voters cannot sell their vote or be coerced(the receipt provides no information about their vote,since all transcripts on receipt can be simulated)
• No reliance on software!
David Wagner, UC Berkeley
A Better Paper Ballot [CRS]
Epk(o)
OFFICIAL BALLOT
Candidates listed inrandom order o
PRESIDENT
RUDY GIULIANIHILARY CLINTON
Right halfLeft half
David Wagner, UC Berkeley
A Better Paper Ballot [CRS]
Epk(o)
OFFICIAL BALLOT
PRESIDENT
RUDY GIULIANIHILARY CLINTON
David Wagner, UC Berkeley
A Better Paper Ballot, With Receipt
Epk(o)
OFFICIAL BALLOT
PRESIDENT
RUDY GIULIANIHILARY CLINTON
Epk(o)
Carbon paper
Top layer
David Wagner, UC Berkeley
A Marked Ballot
Epk(o)
OFFICIAL BALLOT
PRESIDENT
RUDY GIULIANIHILARY CLINTON
Epk(o)
David Wagner, UC Berkeley
The Receipt Is Torn Off
Epk(o)
OFFICIAL BALLOT
PRESIDENT
RUDY GIULIANIHILARY CLINTON
Epk(o)
Retained by voter
Deposited into ballot box
David Wagner, UC Berkeley
• The ballot is deposited into the ballot box• The left side of the ballot is digitally scanned and this
image is posted publicly• Ballots can be hand-counted or
electronically counted
Ballot box
Casting the Ballot
David Wagner, UC Berkeley
Verfiably Correct Tallying
• Voters check that a picture of their receipt appears on the public bulletin board
• Trustees shuffle and decrypt receipts using re-encryption mixes and threshold decryption
• Everyone verifies that trustees performed tallying correctly by checking ZK proofs
David Wagner, UC Berkeley
Security Properties of [CRS]
• Integrity: Voters can use their receipt to confirm that their votes were recorded and counted as intended
• Privacy: Voters cannot sell their vote or be coerced(the receipt provides no information about their vote)
• No reliance on software!
David Wagner, UC Berkeley
Potential Challenges in the Real World
• Human factors and voter training(voters will have to learn how to use new ballots;will voters make more mistakes?)
• Accessibility(lacks verifiability for visually impaired voters)
• Public confidence in hairy math(most voters and officials won’t understand the crypto)
David Wagner, UC Berkeley
In Summary
• Can build voting machines whose correctness is—at least in principle—not dependent on software.
• Practical feasibility still uncertain, but worth a shot.An exciting field with many beautiful ideas.
• Humans can verify that complex cryptographic computations were performed correctly. Wow!